Vlan isolation

I've got a bunch of VLANS set up that are trunked into pfSense from an SG300 Switch.

I want to keep VLAN 10, VLAN 30, VLAN 50, VLAN 60 isolated so they can only access the internet.

Is there a better solution than creating Aliases for Each VLAN that include the networks of all the other VLANS
(which is error prone and something could get forgotten if VLANs are added/removed) and then adding a BLOCK
OUTGOING firewall rule to each interface that uses the block list to block all other VLANs?

Is this the right/best approach? (See METHOD 1 Below)

Since all VLANs are in the 192.168.0.0/16 space is there a better way to do this? (Something like METHOD 2 below)

How would restrictive firewall rules be integrated into this method?

If I just had a LAN, I would likely have something like:
ALLOW SSH (With allowed hosts alias), HTTP, HTTPS, IMAP (with allowed hosts alias)
and rely on the default block to catch anything else that shouldn't be going out.
If I understand things correctly ALLOW VLANxx/Address would match and bypass
the rest of the rules. Am I correct?

I've done a lot of Google searches, but the complexity of the extra VLANs isn't discussed or not very detailed.